HIPAA Penalties Now Mandatory for Willful Neglect

As of February 18, 2011, the OCR is required to impose penalties ranging from $10,000 to more than $50,000 for HIPAA violations caused by a covered entity’s or business associate’s willful neglect. Last month, the OCR imposed its first penalty under the new standard: a $4.3 million fine against a Maryland health center.

HIPAA Penalties. As discussed in our past Client Updates, the federal HITECH Act dramatically increased penalties for HIPAA violations. The following chart summarizes the structure under the new enforcement rules:

Conduct: Covered entity did not know and, by exercising reasonable diligence, would not have known of the violation.
Penalty per violation: $100 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties.
Penalty per identical type of violation per calendar year: Up to $1,500,000.

Conduct: Violation due to reasonable cause and not willful neglect.
Penalty per violation: $1,000 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties.
Penalty per identical type of violation per calendar year: Up to $1,500,000.

Conduct: Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew, or by exercising reasonable diligence would have known, that the violation occurred.
Penalty per violation: $10,000 to $50,000. Penalties mandatory effective 2/18/11.
Penalty per identical type of violation per calendar year: Up to $1,500,000.

Conduct: Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew, or by exercising reasonable diligence would have known, that the violation occurred.
Penalty per violation: At least $50,000. Penalties mandatory effective 2/18/11.
Penalty per identical type of violation per calendar year: Up to $1,500,000.

(45 CFR § 160.400 et seq.).

Bad News: Mandatory Penalties Imposed for Willful Neglect. As reflected in the chart, violations due to willful neglect now carry a mandatory penalty ranging from $10,000 to at least $50,000. “Willful neglect” means the “conscious, intentional failure or reckless indifference to the obligation to comply with [HIPAA]…” (45 CFR 164.401). On February 4, 2011, HHS fined Cignet Health Center $4.3 million for HIPAA violations. Interestingly, the penalty did not relate to any breach of privacy; instead, Cignet was fined $1.3 million for failing to timely respond to 41 patients’ requests to access their health information, and $3 million for refusing to cooperate with the OCR’s investigation. The penalties confirm that HHS is serious about enforcing all aspects of HIPAA, not just the privacy provisions. It also sends a clear warning to those who do not take OCR investigations seriously.

Good News: May Avoid Penalties if No Willful Neglect. The good news is that the mandatory penalties are reserved only for those violations that involve willful neglect; for other violations, covered entities and business associates may avoid penalties altogether if they correct the situation within 30 days. Even if they fail to correct the situation, the OCR may waive or reduce penalties if it determines that the penalties in a given case would be excessive. Covered entities and business associates should take appropriate action to ensure that they are not deemed to act with willful neglect. Among other things, entities should:

  • Implement the written policies that are required by HIPAA as set forth in 45 CFR part 164, including those dealing with use and disclosure rules, electronic security, patient rights, breach notification, and administrative requirements.
  • Train employees and other workforce members concerning the policies, and document the training.
  • Immediately address and correct any potential HIPAA violation and document such actions, including the imposition of sanctions against those who violated HIPAA.
  • If required, notify patients and HHS of privacy breaches.
  • Cooperate with the OCR during any investigation.

Taking such actions should protect covered entities from a finding of “willful neglect” and the mandatory penalties that may otherwise follow.

If you have questions about these or other legal issues, please contact a member of our Health Law group or call 208.344.6000.
